Command Injection Vulnerability in TP-Link Archer MR600 v5 Firmware
CVE-2025-14756

8.5HIGH

Key Information:

Vendor

Tp-link Systems Inc.

Status
Archer Mr600 V5.0
Vendor
CVE Published:
26 January 2026

What is CVE-2025-14756?

A command injection vulnerability has been identified in the admin interface of TP-Link Archer MR600 v5 firmware. This issue allows authenticated attackers to execute arbitrary system commands through crafted input in the browser developer console. With this ability, an attacker could potentially disrupt services or achieve full system compromise, posing a significant risk to device integrity and security. It is essential for users to apply patches provided by TP-Link to mitigate this vulnerability.

Affected Version(s)

Archer MR600 v5.0 ARM 0 < 1.1.0 0.9.1 v0001.0 Build 250930 Rel.63611n

References

https://www.tp-link.com/jp/support/download/archer-mr600/...
patch
https://www.tp-link.com/en/support/download/archer-mr600/...
patch
https://www.tp-link.com/us/support/faq/4916/
vendor-advisory

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chuya Hayakawa of 00One, Inc.
.